From 43fba4e94a134b3ca55bed68e109b88f6af83ce9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Marczykowski-G=C3=B3recki?=
 <marmarek@invisiblethingslab.com>
Date: Sun, 2 Sep 2018 07:05:06 +0200
Subject: [PATCH] debian: do not add user to sudo group, lock root account

The qubes-core-agent-passwordless-root package ships sudo configuration,
adding to sudo group isn't needed.

Basically revert all changes made by qubes-core-agent-passwordless-root
installation.

Fixes QubesOS/qubes-issues#4015
---
 debian/qubes-core-agent-passwordless-root.postrm  | 3 +++
 debian/qubes-core-agent-passwordless-root.preinst | 1 -
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/debian/qubes-core-agent-passwordless-root.postrm b/debian/qubes-core-agent-passwordless-root.postrm
index e07b8ba..a98270b 100755
--- a/debian/qubes-core-agent-passwordless-root.postrm
+++ b/debian/qubes-core-agent-passwordless-root.postrm
@@ -38,6 +38,9 @@ set -e
 
 if [ "${1}" = "remove" ] ; then
     gpasswd -d user sudo
+    if [ "$(passwd -S root|cut -f 2 -d ' ')" = "NP" ]; then
+        passwd -l root
+    fi
 fi
 
 
diff --git a/debian/qubes-core-agent-passwordless-root.preinst b/debian/qubes-core-agent-passwordless-root.preinst
index fdd0079..b72057e 100755
--- a/debian/qubes-core-agent-passwordless-root.preinst
+++ b/debian/qubes-core-agent-passwordless-root.preinst
@@ -35,7 +35,6 @@ set -e
 
 if [ "$1" = "install" ] ; then
     usermod -p '' root
-    usermod -a --groups sudo user
 fi
 
 # dh_installdeb will replace this with shell code automatically